Adobe backs down, will secure last generation of apps

Fixes for flaws in Flash, Illustrator, and Photoshop won't require an upgrade.

Late last week, Adobe set off a bit of a kerfuffle when it announced that three of its applications suffered from serious security flaws. They offered readers a simple fix: pay to upgrade to the latest version. Considering the latest version of the company's Creative Suite was less than a week old at the time, this represented both an extremely short period of support for the previous generation of software, and an extremely high price to fix a set of potential vulnerabilities. The move was widely panned by both security experts and Adobe customers.

In response to the negative press, the company has reversed course. On Friday, the company's security bulletins for Flash, Illustrator, and Photoshop were updated to indicate that the company is "in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available." All of the vulnerabilities could potentially allow an attacker to arbitrarily execute code by corrupting memory. In the case of Photoshop, the application was vulnerable to maliciously crafted TIFF files.

Although Adobe's software has been the target of attacks before, these have generally focused on the consumer-oriented applications like Flash and the company's PDF Reader. But those instances were hardly a guarantee that its professional applications wouldn't be targeted. More generally, it would probably be a good thing if products with the sort of slow upgrade cycles that these enjoy aren't left behind within a week.